[00:02.870 --> 00:04.470]  Hi, good morning, everyone.
[00:04.830 --> 00:07.550]  I hope you're well and enjoying your virtual conference.
[00:07.930 --> 00:12.250]  My name is Ryan Rubin and today I'm going to be talking about decentralised finance.
[00:12.510 --> 00:14.050]  Is it ready for prime time?
[00:15.310 --> 00:17.830]  I'm really sorry not to be in Vegas today with all of you,
[00:17.830 --> 00:21.450]  but all I can say is here in the UK, it feels pretty hot
[00:21.450 --> 00:23.590]  and it's almost like we are in the desert.
[00:26.090 --> 00:27.890]  First, the usual disclaimer.
[00:27.890 --> 00:31.510]  I'd like to confirm that the views expressed in this talk are my own
[00:31.510 --> 00:35.870]  and are not representative of any views from my employer.
[00:36.370 --> 00:41.350]  Of course, no animals were hurt other than potential unicorns in this research.
[00:42.770 --> 00:46.190]  So today I'm going to give a quick introduction,
[00:46.190 --> 00:49.890]  give you a 101 on what decentralised finance is all about,
[00:50.410 --> 00:52.390]  talk a little bit about the attack landscape
[00:53.130 --> 00:57.590]  and how people might target this particular protocol.
[00:58.630 --> 01:03.050]  And then I'll also talk about a methodology that we've introduced,
[01:03.050 --> 01:06.270]  which effectively looks at key indicators of vulnerabilities
[01:06.270 --> 01:11.030]  and how we might be able to assess DeFi projects in the future.
[01:11.050 --> 01:14.870]  I'll present the results and wrap up with some conclusions.
[01:16.270 --> 01:20.670]  So a little bit about myself. My name is, once again, Ryan Rubin.
[01:20.670 --> 01:24.410]  I've been in the security industry for the last 23 years,
[01:24.410 --> 01:27.210]  covering a whole range of different topics.
[01:27.330 --> 01:31.890]  Last couple of years I've had a big interest in blockchain security
[01:31.890 --> 01:34.550]  as well as cyber insurance.
[01:34.830 --> 01:38.790]  And I'm looking forward to sharing some insights here today.
[01:39.010 --> 01:42.530]  I actually start this talk where I kind of left off last year
[01:42.530 --> 01:49.010]  when I presented a talk in the blockchain village on a cryptocurrency heist.
[01:49.010 --> 01:53.170]  And what I found quite interesting during that investigation
[01:53.170 --> 01:57.730]  was that as the attackers started to move their money and funds
[01:57.730 --> 02:00.390]  around the Ethereum blockchain,
[02:00.390 --> 02:05.610]  they started to put some of their funds into a DEFI platform
[02:05.610 --> 02:09.130]  and actually converted quite a lot into something called the DAI coin,
[02:09.130 --> 02:11.070]  which I'd actually never heard of before.
[02:11.570 --> 02:13.890]  And after doing a bit of research,
[02:13.890 --> 02:19.930]  I got quite interested in the whole DeFi protocol
[02:19.930 --> 02:25.230]  and kind of the alternative finance options that it has.
[02:25.730 --> 02:29.770]  What startled me was that the attackers of this particular heist
[02:29.770 --> 02:31.630]  were obviously ahead of the game
[02:31.630 --> 02:36.510]  and realized that they needed to put their cryptocurrency somewhere
[02:36.510 --> 02:41.090]  in order to ensure that the pricing did not fluctuate
[02:41.090 --> 02:43.650]  and the value or the proceeds of their crime
[02:43.650 --> 02:48.470]  did not reduce as the price of Ethereum drops.
[02:49.990 --> 02:55.730]  But this talk is not just about hackers and fraudsters
[02:55.730 --> 02:59.870]  that might be leveraging various platforms
[02:59.870 --> 03:04.770]  to realize their investments in the blockchain world.
[03:05.050 --> 03:09.970]  It's actually more generally about many of us
[03:09.970 --> 03:12.050]  that may be looking at alternative ways
[03:12.050 --> 03:14.850]  of financing and investing in the future.
[03:17.270 --> 03:21.950]  So I came up with this research hypothesis which states,
[03:21.950 --> 03:25.850]  firstly, DeFi is becoming really popular
[03:25.850 --> 03:29.610]  and I'll talk a little bit about that as the show goes on.
[03:29.730 --> 03:32.450]  But as their popularity grows,
[03:32.450 --> 03:35.330]  can they withstand the various types of attacks
[03:35.770 --> 03:38.650]  that are going to be attracted by their popularity?
[03:39.990 --> 03:42.710]  Also, is there a way that we can measure the security posture
[03:42.710 --> 03:46.830]  of DeFi projects and do so in a way that's non-invasive?
[03:47.970 --> 03:50.730]  Of course, the assumption we have is that
[03:50.730 --> 03:55.110]  they must have good OPSEC in order to be in this business, right?
[03:58.080 --> 04:00.020]  So why carry out this research?
[04:00.020 --> 04:03.240]  Well, unfortunately, people are still getting hacked.
[04:03.780 --> 04:05.580]  There are several stories in the news
[04:05.580 --> 04:09.780]  and quite a few that I'll discuss as the talk unfolds
[04:09.780 --> 04:13.240]  indicating that there are still compromises out there.
[04:13.240 --> 04:15.700]  People are still making money out of this.
[04:15.940 --> 04:19.940]  And therefore, it's really important to raise awareness
[04:19.940 --> 04:24.220]  of security-related issues,
[04:24.220 --> 04:27.720]  not only to those in the security community,
[04:27.720 --> 04:31.100]  like many of you that are attending the talks today,
[04:31.100 --> 04:33.580]  but also those outside that community,
[04:33.580 --> 04:35.320]  including a lot of blockchain developers
[04:35.320 --> 04:41.740]  who, I understand, frequent the BCS village.
[04:43.080 --> 04:45.600]  I also wanted to use this research
[04:45.600 --> 04:47.620]  to try and build upon some of the work
[04:47.620 --> 04:48.960]  that others are doing in this space
[04:48.960 --> 04:52.960]  and try and move the industry forward in a positive direction.
[04:53.720 --> 04:56.060]  And finally, I think this research could also be helpful
[04:56.700 --> 05:00.520]  for both consumers, those in the insurance space,
[05:00.840 --> 05:04.540]  investors, and also owners of DeFi projects,
[05:04.540 --> 05:06.660]  because the last thing you want to be doing
[05:06.660 --> 05:11.200]  after spending weekends, hours, days, months, and years
[05:11.200 --> 05:12.720]  building up your DeFi project
[05:12.720 --> 05:14.860]  is find that it all goes down the drain
[05:14.860 --> 05:18.800]  because of some silly security issue that we've got to close.
[05:21.280 --> 05:23.180]  So, DeFi 101.
[05:24.680 --> 05:27.000]  So, what is decentralized finance?
[05:27.000 --> 05:29.480]  Well, if we look at traditional finance products
[05:29.480 --> 05:31.680]  that you might buy from your bank today
[05:31.680 --> 05:34.320]  or some of the financial products
[05:34.320 --> 05:36.360]  that investment bankers are using,
[05:36.360 --> 05:38.420]  you can see that there are common trends
[05:38.900 --> 05:43.040]  around loans, derivatives, asset swaps,
[05:43.040 --> 05:46.340]  and even insurance that can be provided to each of us
[05:46.340 --> 05:50.560]  through a traditional banking environment.
[05:51.300 --> 05:53.800]  One of the issues and challenges with that
[05:54.320 --> 05:57.360]  is the centralized aspects of it.
[05:57.460 --> 06:01.160]  And what decentralized finance aims to do
[06:01.160 --> 06:06.000]  is to introduce a new way of establishing financial products
[06:06.000 --> 06:10.380]  that's both decentralized, not controlled in any way,
[06:10.380 --> 06:12.360]  is trustless and transparent.
[06:13.720 --> 06:18.960]  So, if we look at the DeFi set of protocols and applications,
[06:18.960 --> 06:21.320]  you can see that there's a whole range of different services
[06:21.760 --> 06:23.860]  that are being offered in the space.
[06:23.860 --> 06:25.640]  There's distributed exchanges,
[06:25.640 --> 06:28.120]  which remove some of the concerns
[06:28.120 --> 06:31.340]  that many people have around working
[06:31.340 --> 06:35.060]  with traditional centralized exchanges.
[06:35.220 --> 06:39.300]  There's a variety of different loan products
[06:39.300 --> 06:43.130]  that are out there where you can take your cryptocurrency,
[06:43.680 --> 06:45.500]  pass it onto a platform,
[06:45.500 --> 06:47.940]  and earn some interest in it
[06:47.940 --> 06:54.140]  instead of leaving that money to, let's say, decay over time.
[06:54.380 --> 06:56.260]  There's also the concept of stable coins
[06:56.260 --> 07:00.640]  where you can basically take your cryptocurrency,
[07:00.640 --> 07:02.760]  convert it into a stable coin,
[07:02.760 --> 07:04.880]  which is pegged against the US dollar
[07:04.880 --> 07:06.860]  or some other fiat currency.
[07:07.000 --> 07:08.740]  And that's another way of ensuring
[07:08.740 --> 07:11.140]  that your hard-earned cryptocurrency coins
[07:11.140 --> 07:13.740]  do not necessarily fluctuate in value
[07:14.260 --> 07:17.520]  as the market continues to be volatile.
[07:18.960 --> 07:21.420]  And, of course, all the other things
[07:21.420 --> 07:24.180]  like the asset swaps and derivatives that are also there.
[07:25.260 --> 07:27.180]  So how big is this market?
[07:27.180 --> 07:29.800]  Well, I found this quite fascinating,
[07:29.800 --> 07:31.140]  but earlier on in the year,
[07:31.140 --> 07:33.960]  the total value that was locked up
[07:33.960 --> 07:38.460]  in the various DeFi protocols and projects
[07:38.460 --> 07:40.840]  was around $1 billion.
[07:41.400 --> 07:43.160]  And over the last couple of months,
[07:43.160 --> 07:46.560]  it's actually shot up to just over $4 billion
[07:48.160 --> 07:50.420]  in value locked in.
[07:50.720 --> 07:52.420]  So what we can see here is there's
[07:52.420 --> 07:54.040]  this tremendous amount of growth
[07:54.040 --> 07:56.100]  that's taking place.
[07:56.200 --> 07:57.920]  And this may continue in the future
[07:58.300 --> 08:01.160]  as long as there aren't any big hacks
[08:01.160 --> 08:02.900]  that come up and the confidence
[08:03.360 --> 08:06.220]  in these products doesn't start to fail.
[08:06.600 --> 08:08.640]  In terms of distribution,
[08:08.640 --> 08:10.980]  you can see that from the lending side,
[08:10.980 --> 08:16.780]  that's one of the more popular platforms and products.
[08:17.020 --> 08:18.360]  I'm assuming that's because
[08:18.360 --> 08:20.400]  it's actually quite easy to understand.
[08:20.400 --> 08:22.480]  We're talking effectively about
[08:23.880 --> 08:26.080]  either borrowing money or loaning money
[08:26.080 --> 08:28.520]  into the system,
[08:28.520 --> 08:30.520]  and then getting some profits out of that
[08:30.520 --> 08:32.480]  through some additional interest
[08:33.540 --> 08:35.760]  or being able to leverage the loans
[08:35.760 --> 08:37.780]  in order to invest in other products
[08:37.780 --> 08:38.940]  in the system.
[08:39.500 --> 08:42.400]  Distributed exchanges, again, gaining some value.
[08:42.660 --> 08:45.560]  Derivatives and payments, still early days,
[08:45.560 --> 08:48.100]  but again, the facilities are there.
[08:48.100 --> 08:49.400]  And there's some very interesting ways
[08:49.400 --> 08:53.860]  in which these protocols can be configured,
[08:53.860 --> 08:56.580]  which cannot actually be set up in the real world.
[08:56.580 --> 08:59.040]  So I suspect the investment bankers out there
[08:59.040 --> 09:02.680]  will be looking at DeFi as it continues to mature
[09:03.380 --> 09:05.200]  and seeing how they can exploit
[09:05.200 --> 09:08.060]  some of the value that it can provide.
[09:10.840 --> 09:13.840]  So how can you earn passive income crypto style?
[09:13.840 --> 09:17.120]  Well, if you have a look on the left-hand side of the slide,
[09:17.120 --> 09:20.500]  you can see a number of different projects,
[09:20.500 --> 09:22.560]  DeFi projects that are out there,
[09:22.560 --> 09:24.460]  providing the various services that I mentioned,
[09:24.460 --> 09:27.980]  lending, derivatives, distributed exchanges,
[09:27.980 --> 09:29.660]  assets or stable coins.
[09:29.800 --> 09:31.400]  And you've got a whole pick there
[09:31.400 --> 09:34.900]  of different types of companies and platforms
[09:34.900 --> 09:36.400]  that you can go to.
[09:36.400 --> 09:38.660]  On the right-hand side, you can also see
[09:38.660 --> 09:40.980]  that as part of these platforms,
[09:40.980 --> 09:43.660]  there are also a variety of different interest rates
[09:43.660 --> 09:45.900]  associated with the different types of coins
[09:46.500 --> 09:49.360]  and tokens that you might want to invest in.
[09:49.360 --> 09:51.820]  So if you look at Nexo, for example,
[09:51.820 --> 09:53.520]  you can get an 8% return
[09:54.500 --> 09:58.380]  if you invest in one of their products
[09:58.380 --> 10:01.140]  and perhaps buy some DAI
[10:01.140 --> 10:06.680]  and look to get some value from that.
[10:07.160 --> 10:10.280]  If you go down the list, NUO, 13.68%.
[10:10.280 --> 10:13.440]  So when you're looking at these numbers,
[10:13.440 --> 10:15.580]  of course, you're not going to earn
[10:15.580 --> 10:18.140]  this type of return from a bank today.
[10:18.600 --> 10:21.680]  But of course, there's obviously a lot more risk involved in this
[10:21.680 --> 10:25.580]  and that's why these prices tend to fluctuate a lot.
[10:27.820 --> 10:29.420]  So before we go any further,
[10:29.420 --> 10:31.700]  I thought I'd just talk a little bit about some terminology.
[10:32.480 --> 10:33.780]  Firstly, crypto wallets.
[10:33.780 --> 10:36.620]  So many of you will be familiar with crypto wallets.
[10:37.260 --> 10:40.000]  This is the place where you have your private keys
[10:40.000 --> 10:43.200]  and you hold your cryptocurrency.
[10:43.380 --> 10:46.420]  And it's, of course, an area that you need to protect really well.
[10:46.420 --> 10:49.560]  In the context of distributed finance,
[10:50.720 --> 10:54.600]  the wallet is also used and can be the key
[10:54.600 --> 10:59.020]  towards holding source code or smart contracts.
[10:59.020 --> 11:00.300]  And that becomes quite important
[11:00.300 --> 11:03.620]  as we look at the security of these platforms.
[11:03.680 --> 11:08.560]  So when we look at platforms such as Ethereum, for example,
[11:08.560 --> 11:11.440]  it not only has a cryptocurrency, which is the Ether,
[11:11.440 --> 11:14.800]  but it has a whole distributed system available
[11:14.800 --> 11:18.140]  which is based on executing distributable code
[11:18.140 --> 11:20.880]  in the form of smart contracts.
[11:20.880 --> 11:23.280]  And once again, the control of those contracts,
[11:23.280 --> 11:26.840]  when they're uploaded, what the contents of them are, etc.,
[11:27.440 --> 11:30.340]  is all linked into the crypto wallets
[11:30.340 --> 11:32.880]  that are associated with those projects.
[11:33.220 --> 11:37.260]  In order to unlock those, we talk about admin keys.
[11:37.440 --> 11:40.940]  And these are kind of like the keys to the kingdom,
[11:41.720 --> 11:44.560]  almost similar to the domain administrator accounts
[11:44.560 --> 11:47.640]  in the Windows world, for those of you that are joining
[11:47.640 --> 11:50.400]  from the security community today.
[11:50.800 --> 11:53.280]  And effectively, if you get hold of these keys,
[11:53.280 --> 11:56.360]  you can do a whole lot of bad stuff,
[11:56.360 --> 12:00.440]  including potentially uploading or changing smart contracts.
[12:00.600 --> 12:02.300]  Now, why would that be important?
[12:02.300 --> 12:06.240]  Well, inside the wallet, we've got a whole lot of cash.
[12:06.400 --> 12:11.660]  And smart contracts define a way in which transactions
[12:11.660 --> 12:16.540]  can communicate and can take place over the blockchain.
[12:16.940 --> 12:20.040]  So if we have a wallet that has a lot of cash in it,
[12:20.040 --> 12:23.380]  and we have an ability to influence the logic
[12:23.380 --> 12:26.080]  by which that cash gets used,
[12:26.080 --> 12:28.240]  then it obviously can be very detrimental
[12:30.500 --> 12:32.900]  to the DeFi platform.
[12:33.620 --> 12:35.580]  There's also a concept of time lock.
[12:35.580 --> 12:40.980]  And this hasn't got anything to do with going back in time.
[12:40.980 --> 12:43.940]  But what it is, is it's a method
[12:43.940 --> 12:48.000]  that owners of the DeFi platform can use
[12:48.000 --> 12:52.180]  to effectively slow down the transactions
[12:52.180 --> 12:55.220]  that are taking place on the blockchain.
[12:55.260 --> 13:02.040]  And this is very useful because it allows the owners
[13:02.040 --> 13:05.180]  or those that are governing the DeFi projects
[13:05.180 --> 13:09.700]  to potentially have a look at any unusual transactions
[13:09.700 --> 13:12.820]  and normally there's a time window,
[13:12.820 --> 13:16.460]  either it's four hours, 72 hours, 48 hours,
[13:16.460 --> 13:19.000]  that the owners of that platform
[13:19.000 --> 13:21.320]  or those that govern the platform
[13:21.320 --> 13:23.140]  can actually monitor the transactions
[13:23.140 --> 13:25.580]  and potentially reverse any transactions
[13:25.580 --> 13:28.300]  that have been introduced into the system
[13:28.300 --> 13:31.680]  by an unauthorized hacker
[13:31.680 --> 13:33.950]  or potentially even just by mistake.
[13:34.280 --> 13:37.900]  So that's something that's really key to look into.
[13:37.900 --> 13:41.060]  There's a big debate around decentralization
[13:42.380 --> 13:43.640]  and centralization, right?
[13:43.640 --> 13:44.680]  So we spoke at the beginning,
[13:44.680 --> 13:47.440]  the whole purpose of distributed finance
[13:47.440 --> 13:51.820]  is to have decentralized systems and finance
[13:51.820 --> 13:53.800]  that is not under anyone's control.
[13:54.480 --> 13:56.440]  And by putting in a time lock,
[13:56.440 --> 13:59.040]  we're effectively giving a level of that control
[13:59.040 --> 14:01.880]  back to the owners and those that run the project
[14:01.880 --> 14:03.660]  in order to better control it
[14:03.660 --> 14:07.060]  in the case of things going horribly wrong.
[14:07.060 --> 14:09.960]  But I think, you know, for most of us
[14:09.960 --> 14:13.000]  that are still, let's say,
[14:13.000 --> 14:15.540]  dabbling in this particular world,
[14:15.540 --> 14:18.920]  it's better to have some level of governance in place
[14:18.920 --> 14:21.780]  to protect the assets and information
[14:21.780 --> 14:24.640]  and, of course, the currencies that are in there.
[14:25.560 --> 14:27.140]  We also have the concept of an oracle
[14:27.140 --> 14:31.180]  and this can either be a system
[14:31.180 --> 14:35.480]  that's inside the decentralized ecosystem
[14:35.480 --> 14:38.240]  of the DeFi platform
[14:38.240 --> 14:41.400]  or it's something that the DeFi platform uses
[14:41.400 --> 14:45.660]  as a source of information in order to make decisions.
[14:45.940 --> 14:49.840]  So an oracle could, for example, be publishing prices
[14:49.840 --> 14:53.060]  for various types of coins, like I showed you earlier,
[14:53.060 --> 14:55.660]  that are coming from various exchanges
[14:55.660 --> 14:57.580]  and pumping that information
[14:57.580 --> 15:01.220]  back into the DeFi protocol and application
[15:01.220 --> 15:04.440]  so that it can use them in order to make decisions.
[15:04.440 --> 15:06.600]  Now, again, there's pros and cons
[15:06.600 --> 15:10.560]  on whether this oracle concept is a good idea or not.
[15:10.640 --> 15:14.560]  If we're looking to peg, for example,
[15:14.980 --> 15:16.660]  a currency against the dollar,
[15:16.660 --> 15:18.880]  then we do need an oracle that can tell us
[15:18.880 --> 15:20.160]  what the price of the dollar is
[15:21.040 --> 15:23.040]  and provide an accurate reflection
[15:23.040 --> 15:24.980]  of what's happening in the real world.
[15:25.140 --> 15:26.960]  So there are some benefits to it,
[15:26.960 --> 15:30.440]  but, of course, if we're able to influence
[15:30.440 --> 15:32.800]  or compromise the oracle,
[15:32.800 --> 15:34.560]  that can have devastating effects
[15:34.560 --> 15:36.980]  on the DeFi project.
[15:37.020 --> 15:39.220]  And finally, we talk about DApps
[15:39.220 --> 15:40.780]  or smart contracts.
[15:40.840 --> 15:42.880]  Once again, this is the source code
[15:42.880 --> 15:45.220]  that's been run on the blockchain.
[15:45.360 --> 15:48.120]  It's source code that is immutable.
[15:48.440 --> 15:51.480]  It runs forever on the blockchain.
[15:51.480 --> 15:52.900]  It's been signed.
[15:53.260 --> 15:55.260]  It's available to be reviewed
[15:55.260 --> 16:00.070]  and seen by those that transact with it.
[16:00.360 --> 16:02.240]  And it forms the heart of the logic
[16:02.240 --> 16:05.160]  behind the DeFi platform.
[16:06.220 --> 16:08.260]  Okay, so how does this work in practice?
[16:08.300 --> 16:10.120]  So I'll just give you a quick example.
[16:10.540 --> 16:12.940]  Let's take a cryptocurrency investor
[16:13.640 --> 16:16.660]  and she decides she's got some Bitcoin.
[16:16.820 --> 16:18.460]  She's really worried about the fluctuation
[16:18.460 --> 16:20.360]  of the Bitcoin, which I believe
[16:20.360 --> 16:22.960]  is about $11,000 today.
[16:23.160 --> 16:25.160]  If we went back a couple of months,
[16:25.160 --> 16:26.840]  it was a lot less than that.
[16:27.300 --> 16:29.500]  But if we went back maybe two or three years,
[16:29.500 --> 16:33.320]  we had obviously a real spike in the prices.
[16:33.500 --> 16:36.240]  So with her hard-earned Bitcoin,
[16:36.240 --> 16:37.960]  she's got a choice either to keep that
[16:38.350 --> 16:40.500]  in Bitcoin or to potentially
[16:41.700 --> 16:44.200]  loan it out to a DeFi platform
[16:45.000 --> 16:47.600]  and gain some interest or gain
[16:47.600 --> 16:49.810]  some potential value from that.
[16:50.160 --> 16:51.800]  So she deposits some Bitcoin
[16:51.800 --> 16:54.220]  into the DeFi platform.
[16:54.280 --> 16:55.420]  There'll be a smart contract
[16:55.420 --> 16:57.960]  within the DeFi platform that will
[16:57.960 --> 17:00.960]  effectively receive that Bitcoin.
[17:01.100 --> 17:02.440]  It might wrap it up
[17:02.700 --> 17:05.720]  or transfer it into a token.
[17:05.720 --> 17:07.140]  And in my case, I'm going to use
[17:07.140 --> 17:10.100]  the DAI token as an example.
[17:10.740 --> 17:12.400]  And that basically allows
[17:12.960 --> 17:15.800]  our investor to take these DAI tokens
[17:15.800 --> 17:18.900]  and potentially push them into other DeFi products
[17:18.900 --> 17:20.520]  in order to earn interest
[17:20.520 --> 17:23.720]  or potentially just to peg
[17:23.720 --> 17:26.060]  the value of that Bitcoin against the dollar
[17:26.060 --> 17:27.360]  one to one.
[17:27.360 --> 17:29.000]  Because as I mentioned,
[17:29.000 --> 17:30.500]  DAI coin is a stable coin
[17:31.060 --> 17:36.760]  which is linked to the dollar.
[17:37.120 --> 17:39.600]  So she can then take that DAI coin
[17:39.600 --> 17:41.660]  and actually push it into
[17:41.660 --> 17:43.700]  potentially another platform
[17:43.700 --> 17:47.440]  which might actually go ahead and invest
[17:47.440 --> 17:49.980]  that DAI coin into other products
[17:50.900 --> 17:52.800]  which then could actually generate
[17:52.800 --> 17:55.440]  some level of return for her.
[17:55.440 --> 17:57.220]  At some point,
[17:57.220 --> 17:58.500]  she might then decide
[17:58.500 --> 18:00.220]  there's been some growth
[18:00.220 --> 18:01.820]  or perhaps there's been some stability
[18:02.440 --> 18:03.680]  in the DAI coin
[18:03.680 --> 18:05.180]  that it's time to cash out
[18:05.180 --> 18:07.100]  and she wants her Bitcoins back.
[18:07.120 --> 18:09.020]  So she can go back to the platform
[18:09.020 --> 18:10.520]  and effectively
[18:11.160 --> 18:13.360]  the platform might again do some checks
[18:13.360 --> 18:14.140]  against the oracle
[18:14.140 --> 18:16.000]  to see the current price
[18:16.000 --> 18:19.020]  between the DAI and the Bitcoin
[18:19.740 --> 18:21.960]  and then push that Bitcoin back
[18:21.960 --> 18:23.700]  to her.
[18:23.700 --> 18:24.660]  Now of course,
[18:24.660 --> 18:26.560]  this is what would happen in theory
[18:26.560 --> 18:29.860]  but sometimes that money might disappear.
[18:30.380 --> 18:31.920]  Why might it disappear?
[18:31.920 --> 18:34.800]  Well, potentially the DeFi platform
[18:34.800 --> 18:37.740]  which is holding these Bitcoins
[18:37.740 --> 18:40.400]  may not still have the Bitcoins
[18:40.400 --> 18:42.320]  that were provided by her
[18:42.320 --> 18:46.040]  and by other cryptocurrency investors.
[18:46.800 --> 18:48.000]  It is also possible
[18:48.000 --> 18:49.440]  and we talk about liquidity
[18:49.440 --> 18:53.000]  that there simply isn't enough
[18:53.000 --> 18:56.320]  cryptocurrency inside the DeFi
[18:56.320 --> 18:57.680]  to be able to pay out
[18:57.680 --> 19:02.400]  all the people that have loaned it money
[19:02.400 --> 19:06.740]  and that could also potentially be a problem.
[19:06.900 --> 19:07.840]  Or of course,
[19:07.840 --> 19:11.080]  maybe somebody might intercept
[19:11.080 --> 19:13.620]  or influence the logic
[19:13.620 --> 19:15.080]  within the DeFi platform
[19:15.080 --> 19:18.540]  and basically change the smart contract
[19:18.540 --> 19:21.160]  to maybe push the money somewhere else
[19:21.160 --> 19:23.140]  rather than to the person
[19:23.140 --> 19:24.860]  that had requested it.
[19:25.360 --> 19:27.020]  So let's talk a little bit about
[19:27.020 --> 19:29.080]  the attacks on the blockchain
[19:29.080 --> 19:32.540]  and smashing stacks,
[19:32.540 --> 19:33.120]  breaking blocks
[19:33.120 --> 19:35.360]  or loosening the chains for profits.
[19:36.060 --> 19:37.420]  So once again,
[19:37.420 --> 19:39.000]  the high-level scenario
[19:39.000 --> 19:41.100]  of our investor
[19:41.820 --> 19:43.940]  or person that has some cryptocurrency
[19:43.940 --> 19:49.320]  looking to engage with the DApp ecosystem
[19:49.320 --> 19:54.160]  in order to get some value from their currency.
[19:54.800 --> 19:56.580]  You've got the oracle and the exchanges
[19:56.580 --> 19:57.560]  on the right-hand side
[19:57.560 --> 20:00.500]  that this particular DeFi application
[20:00.500 --> 20:03.280]  or platform is relying on.
[20:03.280 --> 20:04.120]  And of course,
[20:04.120 --> 20:05.420]  we might have a corporate entity
[20:05.420 --> 20:06.840]  that is owning and running
[20:06.840 --> 20:10.380]  and governing the DeFi platform.
[20:10.440 --> 20:13.220]  So let's look at some of the potential attacks
[20:13.220 --> 20:15.960]  that could occur throughout this lifecycle.
[20:15.960 --> 20:17.780]  Firstly, from the user's perspective,
[20:18.920 --> 20:20.960]  users can be phished.
[20:20.960 --> 20:22.420]  Their passwords and keys
[20:22.420 --> 20:24.860]  could potentially be stolen.
[20:24.940 --> 20:27.500]  As we've seen in the case of the Twitter attack
[20:27.500 --> 20:30.060]  that happened just over a month ago,
[20:30.680 --> 20:33.220]  social engineering scams are possible too.
[20:33.300 --> 20:35.220]  So hackers might not necessarily get in
[20:35.220 --> 20:38.200]  and steal the keys,
[20:38.200 --> 20:39.880]  but if they can convince the person
[20:39.880 --> 20:41.920]  to transfer some money across,
[20:41.920 --> 20:44.500]  then they can lose that way.
[20:44.600 --> 20:45.380]  And of course,
[20:45.380 --> 20:47.080]  there are potential vulnerabilities
[20:47.080 --> 20:47.980]  in the software
[20:47.980 --> 20:52.860]  that the user has downloaded or is using,
[20:52.860 --> 20:55.080]  which might intercept communications
[20:55.080 --> 20:58.300]  and potentially steal the keys.
[20:58.440 --> 21:02.320]  If we move into the distributed environments,
[21:02.700 --> 21:04.400]  and again, a good example of this
[21:04.400 --> 21:05.720]  is Ethereum,
[21:05.720 --> 21:10.660]  which leverages the ERC-20 tokens,
[21:10.660 --> 21:12.340]  there are still vulnerabilities
[21:12.340 --> 21:13.580]  in smart contracts,
[21:13.580 --> 21:15.300]  and we'll talk a little bit about more of those.
[21:15.300 --> 21:18.550]  There is the possibility of key compromises.
[21:18.880 --> 21:20.540]  There are DDoS attacks,
[21:20.540 --> 21:22.500]  potential man-in-the-middle attacks,
[21:22.500 --> 21:24.220]  often that occur because
[21:24.220 --> 21:26.120]  there is often an interface
[21:26.120 --> 21:27.940]  between these DApps,
[21:28.020 --> 21:30.220]  a web interface or an API,
[21:30.220 --> 21:32.480]  and again, its users.
[21:32.880 --> 21:34.740]  And so again, depending on where the keys are
[21:35.380 --> 21:37.980]  and the way things get handled,
[21:37.980 --> 21:39.460]  there is some possibility
[21:39.460 --> 21:43.560]  to perform some attacks there.
[21:43.640 --> 21:45.220]  From a protocol perspective,
[21:45.220 --> 21:48.100]  again, all of these distributed apps,
[21:48.100 --> 21:49.100]  Ethereum itself,
[21:49.100 --> 21:51.140]  it's still relatively new,
[21:51.140 --> 21:53.460]  and there may still be some underlying vulnerabilities
[21:54.160 --> 21:57.920]  in the way that the distributed system is working.
[21:58.600 --> 22:00.080]  And I guess we still have to...
[22:00.080 --> 22:01.720]  time will tell whether some of those get
[22:01.720 --> 22:03.820]  out there in the wild or not.
[22:04.720 --> 22:06.380]  The oracles themselves,
[22:06.380 --> 22:07.480]  so again,
[22:07.480 --> 22:08.920]  the whole purpose for having the blockchain
[22:08.920 --> 22:10.840]  and these cryptocurrencies is that they are
[22:12.080 --> 22:13.000]  inherently secure
[22:13.000 --> 22:15.500]  and built with all the wonderful cryptography
[22:15.500 --> 22:17.380]  and so on that's inside them.
[22:17.440 --> 22:20.740]  But when they start relying on third parties,
[22:20.740 --> 22:21.380]  for example,
[22:21.380 --> 22:23.320]  the oracles and exchanges,
[22:23.320 --> 22:25.980]  that's potentially when things can go wrong.
[22:26.220 --> 22:27.220]  So once again,
[22:27.220 --> 22:29.620]  the oracle might be manipulated
[22:29.620 --> 22:32.280]  to provide the wrong interest rates,
[22:32.280 --> 22:33.200]  for example,
[22:33.200 --> 22:35.120]  or an exchange might make a mistake
[22:35.120 --> 22:36.860]  and publish the wrong rates,
[22:36.860 --> 22:40.480]  which could then lead to people taking advantage of that.
[22:41.360 --> 22:44.220]  One thing that we've looked at in our research
[22:44.220 --> 22:47.240]  is the corporate entity itself.
[22:47.240 --> 22:49.580]  And this is really important because
[22:49.580 --> 22:52.020]  these apps are run by people
[22:52.020 --> 22:54.440]  and by a company,
[22:54.440 --> 22:55.800]  often a startup,
[22:55.800 --> 22:57.840]  maybe it's a small organization to start,
[22:57.840 --> 22:59.740]  to begin with that grows.
[22:59.780 --> 23:01.820]  But there are people inside that organization
[23:02.640 --> 23:04.900]  that communicate with customers
[23:04.900 --> 23:06.200]  and with individuals
[23:06.200 --> 23:09.200]  and those that are invested in the tokens
[23:09.200 --> 23:10.300]  and the cryptocurrencies.
[23:11.640 --> 23:14.560]  Some of those people also might operate
[23:14.560 --> 23:18.660]  and have access to the keys and the wallets.
[23:18.760 --> 23:21.020]  Some of them might have to update the smart contracts
[23:21.020 --> 23:22.460]  from time to time.
[23:22.960 --> 23:25.340]  And so the corporate entity itself
[23:25.340 --> 23:26.800]  needs to have a level of security
[23:26.800 --> 23:28.960]  that we would expect of a bank
[23:28.960 --> 23:30.840]  or another financial institution.
[23:31.020 --> 23:31.780]  But of course,
[23:31.780 --> 23:35.520]  because a lot of these organizations are still growing,
[23:35.520 --> 23:37.440]  they may not necessarily have matured yet
[23:37.440 --> 23:41.320]  to provide all the right OPSEC that we would expect.
[23:41.720 --> 23:43.700]  So another route into this environment
[23:43.700 --> 23:46.500]  could potentially be through the entity
[23:46.500 --> 23:50.500]  or the organization that is running the platform,
[23:51.220 --> 23:52.660]  targeting either the employees
[23:52.660 --> 23:54.180]  or some of their resources,
[23:54.180 --> 23:57.480]  their email, their social media, et cetera.
[24:02.240 --> 24:05.380]  So if we look just in the last couple of months,
[24:05.380 --> 24:07.560]  there have been quite a few hacks
[24:07.560 --> 24:10.340]  that have taken place in the DeFi world,
[24:10.340 --> 24:12.720]  most notably the bZx hack,
[24:12.720 --> 24:14.660]  which I'll talk about a little bit later.
[24:15.020 --> 24:18.540]  But literally within a couple of days,
[24:18.540 --> 24:20.360]  they lost around a million dollars
[24:20.940 --> 24:23.020]  in a very sophisticated attack,
[24:23.020 --> 24:25.100]  which impresses a lot of folks
[24:25.100 --> 24:26.840]  that have looked into this.
[24:27.420 --> 24:29.680]  Maker itself had a price crash.
[24:29.680 --> 24:31.560]  It wasn't specifically a deliberate attack,
[24:32.000 --> 24:34.620]  but there was a drop in ether
[24:34.620 --> 24:37.380]  that happened for a few seconds.
[24:37.380 --> 24:41.500]  And this landed up causing a lot of mayhem
[24:41.500 --> 24:45.580]  and Maker actually had some liquidity challenges,
[24:45.580 --> 24:49.380]  which actually forced a lot of the users
[24:49.960 --> 24:52.180]  on the platform to have their loans
[24:52.180 --> 24:55.900]  effectively canceled in order for Maker
[24:55.900 --> 24:59.240]  to ensure that it had the right level of liquidity.
[24:59.420 --> 25:01.380]  And there's a big class action suit
[25:02.080 --> 25:04.600]  going on right now for those individuals
[25:04.600 --> 25:07.740]  that have lost money by loaning money into Maker
[25:07.740 --> 25:10.240]  and not being able to get it out again.
[25:11.120 --> 25:12.980]  Again, later in the year,
[25:12.980 --> 25:15.100]  we had imBTC being hacked
[25:15.100 --> 25:19.420]  by an ERC-777 re-entrancy attack.
[25:19.460 --> 25:21.740]  Now, for those of you that know about
[25:21.740 --> 25:23.800]  the DAO attack that happened a few years ago
[25:23.800 --> 25:25.460]  on the Ethereum platform,
[25:25.460 --> 25:27.880]  this is a very similar type of attack.
[25:28.140 --> 25:30.900]  And interestingly, a day later,
[25:30.900 --> 25:33.740]  there was another platform, Lendf.Me,
[25:33.740 --> 25:35.140]  that lost $25 million
[25:35.740 --> 25:37.740]  because they were using the same source code
[25:37.740 --> 25:42.720]  in their smart contract as another organization.
[25:43.240 --> 25:45.500]  So again, these things kind of can happen
[25:46.240 --> 25:48.280]  in various different ways.
[25:48.880 --> 25:52.340]  Talking a little bit about the bZx hacks,
[25:52.340 --> 25:55.200]  and I don't want to spend too much time in this area,
[25:55.200 --> 25:59.040]  but when we think about hacks and exploits,
[25:59.040 --> 26:01.100]  the ninjas of the security community
[26:01.100 --> 26:05.600]  are running machine code
[26:05.600 --> 26:07.060]  and machine-level assembly
[26:08.060 --> 26:11.960]  to smash the stacks and do buffer overflows
[26:11.960 --> 26:13.320]  and all sorts of things.
[26:13.540 --> 26:16.420]  And what we see here is a different type of hack.
[26:16.420 --> 26:19.280]  We see that somebody with a lot of knowledge
[26:19.280 --> 26:23.400]  was able to leverage the different protocols,
[26:23.400 --> 26:27.460]  leverage the different DeFi protocols out there,
[26:27.460 --> 26:30.160]  dYdX, which was allowing loaning,
[26:30.160 --> 26:34.660]  Compound, which was allowing interest,
[26:34.660 --> 26:36.840]  the Kyber Network and the Uniswap network,
[26:36.840 --> 26:40.860]  which were allowing people to swap coins.
[26:41.020 --> 26:44.620]  And they exploited basically a situation
[26:44.620 --> 26:46.980]  where an exchange was providing
[26:47.700 --> 26:52.120]  a very favorable rate of interest,
[26:52.120 --> 26:53.920]  we call it interest or pricing,
[26:53.920 --> 26:56.140]  for a particular coin combination.
[26:56.140 --> 26:57.840]  And they realized this.
[26:58.240 --> 27:01.360]  They took advantage of something called a flash loan,
[27:01.360 --> 27:04.020]  which is a very interesting concept in the DeFi world
[27:04.020 --> 27:06.580]  that allows people to borrow money
[27:06.580 --> 27:08.500]  without providing any collateral.
[27:08.800 --> 27:10.860]  As long as they borrow the money,
[27:10.860 --> 27:11.980]  carry out a transaction,
[27:11.980 --> 27:14.000]  and pay the money back very quickly,
[27:14.000 --> 27:16.520]  the platform is happy to support that.
[27:16.520 --> 27:19.180]  And that's exactly what happened in this particular instance.
[27:19.180 --> 27:22.580]  So they borrowed some money from the dYdX loan platform,
[27:22.580 --> 27:24.380]  10,000 ETH.
[27:24.380 --> 27:28.380]  They then did some fancy transactions
[27:28.940 --> 27:30.580]  and manipulations.
[27:30.820 --> 27:34.000]  They took advantage of the price hedge,
[27:34.000 --> 27:36.680]  if you like, that they found in the market.
[27:37.380 --> 27:40.780]  And then they were able to then pay back that loan
[27:40.780 --> 27:43.140]  and profit around $300,000
[27:43.140 --> 27:45.700]  for that particular transaction.
[27:46.520 --> 27:48.100]  Literally a few days later,
[27:48.100 --> 27:49.200]  they did the same thing
[27:49.200 --> 27:53.060]  and managed to earn another $600,000.
[27:55.570 --> 27:57.550]  So in response to this,
[27:57.550 --> 28:02.510]  bZx actually made some really dramatic statements,
[28:02.510 --> 28:04.210]  which I'd like to read out.
[28:04.290 --> 28:07.430]  This attack was one of the most sophisticated we've ever seen,
[28:07.430 --> 28:09.850]  possibly only with an extremely in-depth knowledge
[28:09.850 --> 28:12.470]  of every DeFi protocol and its tools.
[28:12.870 --> 28:15.010]  This space is evolving quickly.
[28:15.130 --> 28:17.410]  The security is becoming increasingly more dire
[28:17.410 --> 28:23.110]  as the barriers to entry for executing an exploit drop to zero.
[28:23.110 --> 28:25.890]  There is no analog for this in the traditional finance system
[28:25.890 --> 28:29.050]  and we're now in uncharted territories.
[28:29.610 --> 28:33.210]  So if that doesn't give you a huge amount of confidence,
[28:33.210 --> 28:38.710]  then you might want to think twice about using these particular platforms.
[28:38.910 --> 28:40.390]  But with anything,
[28:40.390 --> 28:43.250]  this happened on the internet and e-commerce many moons ago,
[28:43.990 --> 28:49.650]  eventually the maturity of the industries get there
[28:49.650 --> 28:53.390]  and it becomes harder to do these types of things.
[28:54.670 --> 29:01.630]  So, again, if you're looking to put some money into one of these platforms,
[29:01.630 --> 29:06.930]  how might you assess whether they're good, they're safe, they're bad, etc.?
[29:06.930 --> 29:09.310]  So that's where our research comes in.
[29:09.310 --> 29:13.710]  And the first thing we did, which, again, I find quite interesting,
[29:13.710 --> 29:15.350]  you know, you think you've got a good idea
[29:15.350 --> 29:17.270]  and you do some googling
[29:17.270 --> 29:19.090]  and then you find out, actually,
[29:19.090 --> 29:21.470]  quite a lot of other people have come up with the same idea.
[29:21.890 --> 29:25.010]  So it's part of the early research.
[29:25.010 --> 29:30.130]  We found that there is an open source group or groups.
[29:30.130 --> 29:32.550]  There's DefiScore as well as DefiWatch
[29:33.550 --> 29:37.570]  and the Codefi project as well
[29:38.530 --> 29:41.970]  that essentially are starting to build out an index
[29:41.970 --> 29:44.990]  of various features on the Defi platform
[29:44.990 --> 29:48.310]  that give us some indication of how risky they may be.
[29:49.150 --> 29:54.290]  So some of the types of things that the DefiScore provides, for example,
[29:54.290 --> 29:57.070]  is looking at, you know, has this particular platform
[29:57.070 --> 30:00.330]  carried out any smart contract audits?
[30:00.330 --> 30:01.590]  How many audits?
[30:01.690 --> 30:04.070]  Do they use a time lock or do they not?
[30:04.230 --> 30:06.650]  Have they implemented some form of multi-signature
[30:07.370 --> 30:10.250]  for protecting those very special admin keys
[30:10.250 --> 30:11.890]  that I spoke about earlier?
[30:12.770 --> 30:16.150]  They also then look into some additional factors
[30:16.150 --> 30:20.870]  which are more linked to the financial viability of the platform.
[30:20.870 --> 30:23.430]  And that includes the liquidity index,
[30:23.430 --> 30:26.870]  centralization index and utilization index.
[30:26.870 --> 30:29.510]  But all of these things come together to form a score out of 10
[30:29.510 --> 30:33.510]  which is there to try and help and guide those
[30:33.510 --> 30:35.650]  that want to potentially put money in.
[30:35.650 --> 30:39.250]  You might get all excited about that 13% rate you're going to get
[30:39.250 --> 30:41.170]  but then you might want to check to see whether
[30:41.170 --> 30:44.110]  that particular platform has scored very well
[30:44.110 --> 30:46.770]  on a DefiScore or on some other score.
[30:47.770 --> 30:49.010]  So with that in mind,
[30:49.010 --> 30:51.750]  we thought we would build upon this platform.
[30:52.070 --> 30:55.270]  And one thing that we did notice is that, again,
[30:55.270 --> 30:57.790]  the communities that developed this
[30:57.790 --> 31:00.090]  actually form part of the community
[31:00.090 --> 31:02.030]  and part of the crypto community.
[31:02.030 --> 31:05.110]  So the focus of their scoring was very much based on
[31:05.110 --> 31:07.610]  some of the things in the crypto world.
[31:07.610 --> 31:10.930]  And so we, coming from a, let's say,
[31:11.030 --> 31:13.050]  a wider cybersecurity perspective,
[31:13.050 --> 31:15.610]  started to think about some of the other OSINTs
[31:16.430 --> 31:19.750]  that we might be able to find about those companies.
[31:19.770 --> 31:21.510]  So we took a traditional approach.
[31:21.510 --> 31:25.610]  We looked at IP addresses, DNS records.
[31:25.970 --> 31:27.490]  We looked at the email platform
[31:27.490 --> 31:31.090]  that these particular providers are using.
[31:31.210 --> 31:35.310]  We looked at a couple of open sources
[31:35.310 --> 31:37.490]  connected to the internet,
[31:37.490 --> 31:40.330]  mail servers, web servers, et cetera.
[31:40.650 --> 31:41.830]  We looked on LinkedIn
[31:41.830 --> 31:45.530]  to see what kind of social media platform they have.
[31:45.530 --> 31:46.530]  We did some threat intel
[31:46.530 --> 31:48.490]  to see whether there's any chatter
[31:48.490 --> 31:51.930]  involved in these particular projects.
[31:52.110 --> 31:54.050]  We also assessed the bug bounty
[31:54.050 --> 31:57.570]  and how ready or how mature they are
[31:57.570 --> 32:00.590]  in using the hacking community
[32:00.590 --> 32:04.450]  to find vulnerabilities and publish those.
[32:04.450 --> 32:08.130]  And also whether they were open source or closed source
[32:08.130 --> 32:11.450]  and whether there was any breach history.
[32:11.970 --> 32:14.590]  Finally, we also looked at privacy and cookies
[32:14.590 --> 32:16.490]  just to kind of get a perspective
[32:16.490 --> 32:19.410]  on whether, from a regulatory perspective,
[32:19.410 --> 32:21.010]  these guys are starting to think about
[32:21.010 --> 32:23.190]  some of those really important things
[32:23.190 --> 32:25.230]  that regulators look out for
[32:25.230 --> 32:28.750]  when you're dealing with individuals and consumers,
[32:28.750 --> 32:31.890]  especially those, for example, in Europe under GDPR.
[32:32.810 --> 32:34.990]  On the crypto side,
[32:34.990 --> 32:38.890]  again, we kind of thought through the various indexes
[32:39.570 --> 32:43.690]  that DefiScore already provided.
[32:43.750 --> 32:45.750]  And then we thought about a few other things
[32:45.750 --> 32:48.130]  like general audits,
[32:48.130 --> 32:53.510]  publication of whether they've been assessed by third parties.
[32:54.110 --> 32:56.710]  We wanted to look into cryptocurrency transactions
[32:56.710 --> 33:00.510]  and whether there was any links
[33:00.510 --> 33:05.630]  between fraudulent transactions and the platforms,
[33:05.630 --> 33:07.370]  the financial backing,
[33:07.370 --> 33:09.810]  and also whether there's any mention of KYC,
[33:09.810 --> 33:12.090]  know-your-client procedures.
[33:12.090 --> 33:15.450]  Once again, going back to the beginning of my talk,
[33:15.450 --> 33:19.430]  if any of these platforms start to receive cryptocurrency funds
[33:19.430 --> 33:22.130]  as a result of a fraud or an attack,
[33:22.130 --> 33:25.090]  then they shouldn't be accepting them.
[33:25.110 --> 33:28.490]  Or potentially, if they have accepted them,
[33:28.490 --> 33:30.570]  maybe there's something we can do to seize those assets
[33:30.570 --> 33:34.170]  before they go back to those that have stolen them.
[33:36.550 --> 33:40.570]  So I guess just a caveat in terms of the limitations of our research,
[33:40.570 --> 33:43.230]  we sampled 17 projects,
[33:43.230 --> 33:48.470]  a mix of large, medium, and small DeFi projects.
[33:48.490 --> 33:50.670]  And we did this over a period of seven days.
[33:51.910 --> 33:54.450]  Because of the type of testing that we performed,
[33:54.450 --> 33:56.130]  which was very non-intrusive,
[33:56.130 --> 33:59.050]  obviously we don't have any permission to do any testing.
[33:59.430 --> 34:02.010]  So we could only look at open source information.
[34:02.550 --> 34:05.890]  And as a result of that, some of the findings might be false positives.
[34:06.290 --> 34:09.270]  And of course, there's certain things that are very hard for us to gather
[34:10.010 --> 34:12.770]  from the open source.
[34:13.650 --> 34:16.150]  But also, there are quite a few important things
[34:16.150 --> 34:19.350]  that we definitely were not able to look at.
[34:19.350 --> 34:21.770]  And things like incident response planning,
[34:21.770 --> 34:25.450]  being able to deal very quickly with a breach scenario
[34:25.450 --> 34:27.250]  where perhaps the keys have been stolen,
[34:27.250 --> 34:30.390]  or there is a smart contract vulnerability.
[34:30.870 --> 34:32.450]  Key generation storage.
[34:32.450 --> 34:35.150]  People talk about the fact that they're using multi-sigs,
[34:35.150 --> 34:36.810]  but are they really?
[34:37.310 --> 34:38.950]  Has that been audited?
[34:39.950 --> 34:41.870]  Have they done all the right things?
[34:42.570 --> 34:44.790]  The oracles and exchanges.
[34:44.790 --> 34:47.550]  We didn't look too much into that world.
[34:48.310 --> 34:50.910]  And of course, some of these smart contracts themselves
[34:50.910 --> 34:53.130]  might be linked to other smart contracts.
[34:53.130 --> 34:56.410]  And I mentioned that protocol fuzzing and security
[34:56.410 --> 34:58.570]  is something that we didn't get into either.
[34:59.370 --> 35:03.830]  In terms of the scope and the way that we carried out the testing
[35:03.830 --> 35:05.240]  and the scoring,
[35:05.970 --> 35:09.630]  we did a subjective scoring, fairly simple crude approach
[35:09.630 --> 35:14.510]  where we allocated a score of 1 if the practices are very poor,
[35:14.630 --> 35:17.270]  a 2 for medium, or a 3 for high.
[35:17.590 --> 35:21.730]  We also took the view that we wouldn't necessarily skew
[35:21.730 --> 35:26.810]  any of the findings and weights against particular categories.
[35:26.930 --> 35:29.650]  It's recognized that certain types of tests
[35:29.650 --> 35:32.490]  are going to have more of an impact than others,
[35:32.490 --> 35:34.850]  but also that might depend on the type of attack
[35:34.850 --> 35:36.230]  that we're worried about.
[35:36.370 --> 35:38.810]  So if we're worried about phishing attacks,
[35:38.810 --> 35:40.190]  then certain types of dimensions
[35:40.730 --> 35:43.170]  will actually carry more weight than others.
[35:43.210 --> 35:46.570]  If we're more worried about, for example,
[35:46.570 --> 35:48.690]  the smart contracts having poor code,
[35:48.690 --> 35:52.370]  then we would have a higher weight on some of the categories
[35:52.910 --> 35:55.090]  that link into smart contracts.
[35:56.550 --> 35:59.910]  So without further ado, I'll talk about some of the results.
[36:00.050 --> 36:02.530]  And as you can see on the left-hand side,
[36:02.530 --> 36:05.950]  we've basically segmented the vendors
[36:05.950 --> 36:08.490]  into large, medium, and small.
[36:08.830 --> 36:12.650]  The red, again, are those organizations
[36:12.650 --> 36:16.230]  that have been marked as having very low security,
[36:16.230 --> 36:17.410]  in our opinion.
[36:18.110 --> 36:20.490]  Those in the middle with the yellow,
[36:20.490 --> 36:25.250]  and those that are doing pretty well in the green.
[36:25.730 --> 36:29.090]  And as you can see, if we start with a multi-sig,
[36:29.090 --> 36:32.950]  we have quite a lot of small and mid-sized companies
[36:32.950 --> 36:35.210]  that haven't gone with this multi-sig approach.
[36:35.650 --> 36:38.930]  And I guess it's a bit disappointing, in a way,
[36:38.930 --> 36:42.190]  because a lot of these projects are small,
[36:42.190 --> 36:45.990]  but they can grow very big very quickly.
[36:45.990 --> 36:49.510]  And if they haven't done the basics of setting up
[36:49.510 --> 36:52.050]  their wallets and their key administration
[36:52.050 --> 36:54.090]  the right way in the early days,
[36:54.090 --> 36:56.410]  then it can be quite difficult to retrofit that
[36:56.990 --> 37:00.070]  as the project goes from zero to hero.
[37:00.970 --> 37:03.870]  Also, interestingly, in the large category,
[37:03.870 --> 37:07.110]  there was one that wasn't using multi-sig,
[37:07.110 --> 37:09.070]  which, again, was quite a surprise.
[37:09.770 --> 37:13.810]  And these multi-sigs also range from 2-of-2
[37:13.810 --> 37:18.410]  all the way to 3-of-5 or 3-of-8.
[37:18.610 --> 37:21.610]  So there were quite a few that are starting to adopt
[37:21.610 --> 37:24.490]  what I call very good practices around having
[37:25.510 --> 37:29.550]  potentially quite a few multi-signatories
[37:29.550 --> 37:33.010]  having access to the keys,
[37:33.010 --> 37:36.910]  often distributed across different organizations as well,
[37:36.910 --> 37:39.810]  to really make it effective.
[37:40.510 --> 37:42.410]  But one of the issues here, again,
[37:42.410 --> 37:44.550]  is that it's very hard to tell exactly
[37:44.550 --> 37:46.070]  how this was implemented.
[37:46.510 --> 37:48.470]  You can have multi-signatures,
[37:48.470 --> 37:50.850]  but you could have three signatures.
[37:50.850 --> 37:51.870]  Maybe they're paper-based,
[37:51.870 --> 37:53.730]  but they're all in the same place.
[37:54.650 --> 37:58.250]  And therefore, the kind of OPSEC on the key management
[37:58.250 --> 38:02.250]  is something that is very hard to distill.
[38:02.830 --> 38:06.150]  There also weren't many talking about, if not any,
[38:06.150 --> 38:08.990]  talking about audits that these companies had done
[38:08.990 --> 38:11.890]  on their key generation process,
[38:11.890 --> 38:13.290]  which I think is fundamental
[38:13.290 --> 38:15.730]  and something that happens a lot
[38:15.730 --> 38:18.630]  in the traditional finance industry today.
[38:19.610 --> 38:20.590]  Time locks.
[38:20.590 --> 38:23.170]  So once again, I mentioned this earlier,
[38:23.170 --> 38:25.410]  I think it's a pretty good idea to do this.
[38:25.410 --> 38:26.870]  It gives some confidence
[38:26.870 --> 38:28.910]  to those that are using the platform
[38:28.910 --> 38:30.770]  that if something goes wrong by mistake
[38:30.770 --> 38:33.170]  or potentially, again,
[38:33.170 --> 38:35.850]  because somebody's done something bad,
[38:35.850 --> 38:37.850]  there is a way to roll back.
[38:37.850 --> 38:39.370]  There's a way to monitor
[38:39.370 --> 38:43.550]  and get ahead of the transactions
[38:44.190 --> 38:46.270]  and do something about it.
[38:46.270 --> 38:47.870]  And once again, you can see a mixture
[38:47.870 --> 38:50.970]  of large, medium, and small companies
[38:50.970 --> 38:53.510]  that actually haven't implemented this.
[38:54.310 --> 38:58.530]  As we move on to the other thing of interest
[38:58.530 --> 39:00.710]  on the time lock side was, again,
[39:00.710 --> 39:03.750]  some projects are using 48 hours,
[39:03.750 --> 39:07.030]  some are using four hours, others 72.
[39:07.030 --> 39:11.010]  Again, I kind of, as a more conservative individual,
[39:11.010 --> 39:13.950]  would rather go with a slightly longer period.
[39:13.950 --> 39:15.570]  It might mean that certain transactions
[39:15.570 --> 39:17.870]  take a little bit longer to take place,
[39:17.870 --> 39:19.490]  but at least I know that if I put my Bitcoin
[39:19.490 --> 39:22.850]  into that platform and something goes wrong,
[39:22.850 --> 39:25.910]  I've got a chance of keeping it
[39:26.690 --> 39:29.210]  rather than the purest approach
[39:29.210 --> 39:31.290]  of decentralization
[39:32.350 --> 39:34.610]  where effectively the transactions happen
[39:34.610 --> 39:37.010]  and there's nothing you can do about it.
[39:38.590 --> 39:41.030]  From an oracle perspective, again,
[39:41.030 --> 39:42.830]  some interesting results on those
[39:42.830 --> 39:46.550]  that are using oracles, external oracles,
[39:46.550 --> 39:48.630]  and those that are using their own.
[39:49.310 --> 39:52.230]  And we found some interesting concentration risk
[39:52.230 --> 39:55.310]  in this space where quite a few organizations
[39:55.310 --> 39:57.180]  are using the same external oracle,
[39:57.650 --> 40:00.430]  so that might potentially ring some alarm bells
[40:01.150 --> 40:03.390]  if those particular oracles
[40:03.390 --> 40:05.630]  are not set up in the right way.
[40:05.630 --> 40:07.830]  Something that was really disappointing
[40:07.830 --> 40:12.530]  was no real discussions around KYC.
[40:12.730 --> 40:15.350]  And again, I think this is really important
[40:15.350 --> 40:17.210]  in the longer term
[40:17.210 --> 40:19.930]  if you want to have a legitimate business
[40:19.930 --> 40:23.750]  that's going to deal with the kind of wider markets,
[40:23.750 --> 40:25.530]  the wider finance markets.
[40:26.030 --> 40:28.430]  And this is something that for whatever reason
[40:28.430 --> 40:31.270]  these players are not necessarily
[40:31.270 --> 40:33.470]  too focused on today.
[40:33.470 --> 40:36.930]  I suspect that as the industry matures
[40:37.810 --> 40:41.850]  and some of the platforms do want to
[40:41.850 --> 40:43.810]  become more regulated,
[40:44.190 --> 40:46.210]  this will have to change.
[40:46.750 --> 40:48.930]  On the smart contract side, again,
[40:48.930 --> 40:50.270]  kind of a mix.
[40:50.270 --> 40:52.530]  For this particular dimension,
[40:52.530 --> 40:55.150]  we looked at whether the smart contracts
[40:55.150 --> 41:00.570]  were being reused by other organizations,
[41:00.570 --> 41:02.770]  and we found quite a few of those.
[41:02.770 --> 41:05.310]  A couple of smart contracts that had been compiled
[41:05.310 --> 41:08.210]  with older versions of compilers,
[41:08.210 --> 41:09.990]  some of which are known to have
[41:09.990 --> 41:13.010]  security weaknesses in them.
[41:13.670 --> 41:17.190]  And then quite a few that
[41:18.130 --> 41:20.770]  actually were not very forthcoming
[41:20.770 --> 41:23.430]  with publishing certain information
[41:23.430 --> 41:25.070]  about their smart contracts.
[41:25.610 --> 41:27.770]  We did see some very positive signs
[41:28.350 --> 41:31.110]  on the side of smart contract audits.
[41:31.110 --> 41:33.770]  And here are quite a few of the platforms
[41:33.770 --> 41:35.950]  are doing regular audits.
[41:36.030 --> 41:38.270]  It kind of ranged from 2 to 15,
[41:38.710 --> 41:40.290]  and that kind of got me thinking,
[41:40.290 --> 41:41.970]  well, maybe you need to audit these things
[41:42.090 --> 41:43.270]  a bit more frequently.
[41:43.830 --> 41:45.930]  But what was quite strange was that
[41:47.310 --> 41:50.450]  probably aligned to the whole open-source methodology,
[41:50.450 --> 41:52.530]  the audit results were open-sourced
[41:52.530 --> 41:55.050]  as well as all of the audit reports.
[41:55.430 --> 41:58.030]  And this contains a wealth of information
[41:58.030 --> 42:01.030]  about what the testers did,
[42:01.770 --> 42:04.030]  pieces and snippets of source code,
[42:04.030 --> 42:07.670]  and various types of vulnerabilities that they found,
[42:07.670 --> 42:10.870]  which personally I think might be a little bit unnecessary.
[42:11.430 --> 42:13.730]  I think it's good that an audit has happened.
[42:13.730 --> 42:17.690]  It's good to understand that remediation was taking place,
[42:17.690 --> 42:20.610]  but really to show the full-blown audits every time
[42:20.610 --> 42:23.470]  might be giving a little bit away,
[42:23.470 --> 42:26.450]  especially if those testers didn't find all the holes
[42:26.450 --> 42:30.550]  and perhaps there are a few extra things that aren't there.
[42:30.970 --> 42:34.090]  Great news for the community at DEF CON
[42:34.090 --> 42:37.450]  that are involved in bug bounty programs
[42:37.450 --> 42:39.330]  and supporting them.
[42:39.550 --> 42:43.230]  Some good indications that the DeFi industry
[42:43.230 --> 42:46.410]  is taking this on board as well.
[42:46.410 --> 42:48.410]  And if you're interested, go and have a look.
[42:48.410 --> 42:53.630]  Programs vary from $10,000 all the way up to $250,000.
[42:54.510 --> 42:57.490]  So put down those laptops and get started.
[42:57.950 --> 43:00.350]  Interestingly enough, a few projects are actually
[43:00.350 --> 43:03.810]  not offering to pay you in real money,
[43:03.810 --> 43:06.810]  but to pay you in their own tokens,
[43:06.810 --> 43:09.150]  which again potentially could be very valuable
[43:09.150 --> 43:13.390]  or potentially not, depending on the circumstances.
[43:15.410 --> 43:18.950]  If we have a look at the general OSINT,
[43:18.950 --> 43:21.590]  one of the first things we did was we looked at
[43:21.590 --> 43:25.570]  whether these particular organizations had been hacked in the past.
[43:25.950 --> 43:28.970]  I decided to redact the findings in that section
[43:28.970 --> 43:32.610]  because it might indicate some of the organizations
[43:32.610 --> 43:34.650]  involved in our study.
[43:35.610 --> 43:38.230]  What I can say is that there was a mix
[43:39.030 --> 43:42.590]  of large, medium and small organizations
[43:42.590 --> 43:45.210]  that have been hit in the past.
[43:46.050 --> 43:49.510]  And again, is that an indicator that the company is bad?
[43:49.510 --> 43:52.290]  Or is it an indicator that because they've been hit,
[43:52.290 --> 43:54.930]  they've actually now put in a lot better controls,
[43:54.930 --> 43:57.710]  they've learned their lesson and they're improving their security?
[43:58.050 --> 44:00.470]  And often in my experience, those that have a breach
[44:00.470 --> 44:04.690]  do come out of it a lot better in the longer term if they're still around.
[44:06.130 --> 44:08.250]  So that's kind of one factor.
[44:08.690 --> 44:12.750]  We did look into credentials that are on the web
[44:12.750 --> 44:15.110]  and on the darknet that have been sold
[44:16.370 --> 44:18.350]  for particular platforms.
[44:18.350 --> 44:20.790]  And that was on average pretty good.
[44:20.790 --> 44:24.410]  As you can see, there was a surprisingly large organization
[44:25.030 --> 44:28.090]  that had quite a lot of data published.
[44:28.090 --> 44:31.510]  And this is something that we will need to take up
[44:31.510 --> 44:33.750]  with the vendor directly
[44:34.710 --> 44:37.390]  because I think it's something that they should be looking into.
[44:39.770 --> 44:41.670]  But otherwise, pretty good.
[44:41.710 --> 44:45.050]  And once again, this is the kind of thing that's a bit hit and miss.
[44:45.190 --> 44:47.330]  But it was interesting that we did get two results
[44:47.330 --> 44:50.710]  coming through that particular dimension.
[44:51.190 --> 44:52.870]  Anti-spam protection.
[44:53.250 --> 44:56.270]  Obviously, we discussed how important phishing is
[44:56.270 --> 45:00.050]  to either the users that could be targeted
[45:00.050 --> 45:05.490]  and also the individuals that are working for the platform.
[45:05.910 --> 45:08.650]  And here, we did find that
[45:08.650 --> 45:10.770]  the maturity within the space
[45:11.330 --> 45:16.210]  was actually okay for protocols like SPF,
[45:16.210 --> 45:20.370]  but for DMARC, it was actually around 50%.
[45:20.370 --> 45:24.950]  And for DKIM, it was very low as well.
[45:24.950 --> 45:27.030]  So I think there's definitely some room for improvement
[45:27.030 --> 45:32.010]  for these companies to be setting up their DNS records
[45:32.010 --> 45:34.570]  and their mail records so that they can
[45:34.570 --> 45:37.510]  better protect themselves and their customers from
[45:38.650 --> 45:41.410]  phishing-related attacks.
[45:41.810 --> 45:43.430]  I mentioned infrastructure
[45:43.430 --> 45:46.390]  and we took a very hands-off approach to this,
[45:46.390 --> 45:48.710]  so we looked in Shodan
[45:49.390 --> 45:52.390]  and pointed some of the project IP addresses
[45:52.390 --> 45:54.730]  to the Shodan platform.
[45:54.890 --> 45:58.170]  And we came up with a couple of interesting results.
[45:58.430 --> 46:01.310]  Some unnecessary ports, some remote access
[46:02.810 --> 46:05.250]  facilities that perhaps shouldn't be there.
[46:05.370 --> 46:07.470]  But again, kind of a mix and something that
[46:07.470 --> 46:10.830]  you probably would find if you did a proper scan
[46:10.830 --> 46:13.170]  on a lot of organizations.
[46:13.590 --> 46:16.130]  But definitely something that needs improvement
[46:17.350 --> 46:21.410]  for the reasons that I've spoken about before.
[46:21.430 --> 46:23.110]  We dipped into the
[46:23.110 --> 46:26.310]  Darknet chatter and we had a look to see
[46:26.310 --> 46:30.230]  who was talking about particular projects.
[46:30.790 --> 46:31.750]  And again, we found
[46:31.750 --> 46:34.970]  some information, nothing earth-shattering,
[46:34.970 --> 46:37.830]  but definitely some talk about
[46:37.830 --> 46:41.270]  targeting or weaknesses,
[46:41.270 --> 46:44.410]  vulnerabilities, etc. And again, this is something
[46:44.410 --> 46:46.950]  that probably the project
[46:46.950 --> 46:50.250]  owners should definitely be dialing into
[46:50.250 --> 46:52.930]  just to make sure there's nothing major
[46:52.930 --> 46:56.450]  that's being discussed and giving them a head start
[46:56.450 --> 46:59.870]  to try and fix any issues that arise.
[47:00.630 --> 47:02.130]  From a social media perspective,
[47:02.130 --> 47:04.370]  we just chose LinkedIn. We had a look at
[47:04.370 --> 47:08.410]  individuals that belong to these projects.
[47:10.050 --> 47:11.410]  Interestingly, I was looking
[47:11.410 --> 47:14.490]  for some CISOs or kind of security managers
[47:14.490 --> 47:16.870]  and I didn't find many. So either
[47:16.870 --> 47:19.970]  those involved are pretty good with their own
[47:19.970 --> 47:24.050]  OSINT, or perhaps, and I think this is more likely,
[47:24.050 --> 47:26.490]  there aren't too many people in these organizations
[47:26.490 --> 47:29.330]  that have the title of CISO or security manager.
[47:29.490 --> 47:32.410]  We saw a lot of CTOs, we saw a lot of COOs,
[47:32.410 --> 47:36.490]  but not that many people with a security title.
[47:36.970 --> 47:38.970]  And that, again, is just something
[47:38.970 --> 47:41.250]  to be wary of.
[47:41.250 --> 47:44.750]  If you don't have anyone focused and dedicated
[47:44.750 --> 47:48.010]  in the space, then you might fall short
[47:49.150 --> 47:51.150]  and that's kind of why
[47:51.150 --> 47:54.810]  you need to take these things a little bit more seriously.
[47:54.990 --> 47:57.550]  Quite a few people in the IT department
[47:57.550 --> 47:59.990]  publishing information about themselves
[47:59.990 --> 48:04.110]  and, again, that could be potentially used as a target.
[48:05.250 --> 48:06.750]  Kind of very old OSINT around
[48:06.750 --> 48:09.650]  Whois. Most people did this very well.
[48:09.830 --> 48:12.390]  We did come across one company that was allegedly
[48:12.390 --> 48:15.410]  in stealth mode, but had leaked
[48:15.410 --> 48:19.190]  some of the details in the Whois information.
[48:19.510 --> 48:22.050]  But pretty good on that side.
[48:22.490 --> 48:24.130]  And then data privacy policies
[48:24.790 --> 48:27.470]  as well as cookies. We did a quick check
[48:27.470 --> 48:31.370]  on whether these particular aspects would be taken care of
[48:31.370 --> 48:33.290]  on the websites.
[48:33.290 --> 48:36.750]  We found that most were not compliant to GDPR
[48:36.750 --> 48:40.190]  and, actually, some of the privacy policies
[48:40.190 --> 48:43.130]  fell short of some of the requirements
[48:43.130 --> 48:46.090]  that are expected. So, once again,
[48:46.090 --> 48:48.150]  these organizations dealing with consumers
[48:48.150 --> 48:51.530]  might need to dial into this vector
[48:52.490 --> 48:55.970]  as well because it could come back to bite them.
[48:55.970 --> 48:59.070]  On a hosting side and as well as on an email
[48:59.070 --> 49:01.810]  platform side, we saw some concentration
[49:01.810 --> 49:04.970]  risk on particular vendors being chosen
[49:04.970 --> 49:07.650]  to host websites
[49:07.650 --> 49:10.650]  to support DDoS platforms
[49:10.650 --> 49:14.690]  and also to support the email platform as well.
[49:16.110 --> 49:16.810]  So, I guess some
[49:16.810 --> 49:20.250]  of the highlights, again, smart contracts, 64%
[49:20.250 --> 49:22.510]  were being audited
[49:22.510 --> 49:25.270]  but the full results were published.
[49:25.910 --> 49:28.930]  64% of the smart contracts required some kind of
[49:28.930 --> 49:31.350]  improvements either because of reuse or
[49:31.350 --> 49:33.410]  older compilers being used.
[49:34.050 --> 49:37.570]  Some vendor concentration in the use of
[49:37.570 --> 49:39.670]  external oracles.
[49:40.550 --> 49:43.530]  Time locks, again, 58% not using them. That's a bit
[49:43.530 --> 49:46.670]  disappointing. Almost 50% not using
[49:46.670 --> 49:49.050]  multi-signatures and
[49:49.050 --> 49:52.210]  missing audits in the key management space
[49:52.210 --> 49:55.130]  as well as poor KYC and privacy
[49:55.130 --> 49:56.530]  activities.
[49:58.210 --> 50:01.470]  Right, on the OSINT side, great registration
[50:01.470 --> 50:05.650]  on the IP, mixed DNS results as I mentioned,
[50:05.650 --> 50:07.330]  some chatter going on, credentials
[50:07.330 --> 50:09.890]  being dumped, poor cookies and
[50:10.650 --> 50:12.290]  privacy policy management
[50:13.050 --> 50:16.430]  and so on.
[50:18.550 --> 50:21.070]  So, with the scoring, we
[50:21.070 --> 50:23.190]  basically put together our score and
[50:24.030 --> 50:26.990]  allocated out the various
[50:27.750 --> 50:29.890]  companies against the score
[50:29.890 --> 50:33.130]  and you kind of see kind of a mix. It's not a huge
[50:33.130 --> 50:36.070]  differential. Some of that
[50:36.070 --> 50:39.210]  differentiation was coming in to very particular dimensions
[50:39.210 --> 50:42.330]  that we assessed. Interestingly,
[50:42.330 --> 50:45.110]  looking at the DEFI score itself, we actually found
[50:45.110 --> 50:47.950]  that of the companies we looked at,
[50:47.950 --> 50:50.470]  50% of them had the same kind of ranking
[50:51.210 --> 50:54.250]  as our scoring, but actually
[50:54.250 --> 50:57.550]  33% were worse and 70%
[50:57.550 --> 50:59.550]  were slightly better.
[51:00.150 --> 51:03.110]  Therefore, our conclusion in this is
[51:03.110 --> 51:05.430]  definitely that we need a combination of
[51:06.110 --> 51:09.150]  both crypto and Open OSINT in order
[51:09.150 --> 51:11.330]  to tackle this thing correctly.
[51:11.330 --> 51:14.370]  By breaking it up into large, medium and
[51:14.370 --> 51:17.190]  small, some of the results that can be seen there
[51:17.190 --> 51:20.650]  do indicate, as expected, the larger projects
[51:21.330 --> 51:23.530]  probably are ahead in certain areas
[51:24.510 --> 51:25.150]  but
[51:27.270 --> 51:29.310]  definitely there is some room
[51:29.310 --> 51:31.130]  for improvement.
[51:32.250 --> 51:35.830]  Similarly, when we look at the OSINT,
[51:35.830 --> 51:38.430]  we can see there that there are a couple of
[51:38.430 --> 51:40.590]  large projects that actually fall
[51:41.410 --> 51:44.530]  behind the mark compared to some of the
[51:44.530 --> 51:47.050]  medium and small businesses
[51:47.050 --> 51:50.570]  but often the small and medium ones are the ones
[51:50.570 --> 51:52.530]  that actually do need to
[51:53.890 --> 51:55.330]  improve.
[51:57.550 --> 52:00.010]  Okay, so wrapping up,
[52:00.010 --> 52:02.510]  our conclusion is that DEFI
[52:02.510 --> 52:05.470]  definitely needs to do even more to maintain trust and
[52:05.470 --> 52:06.990]  stay out of the headlines.
[52:07.310 --> 52:11.390]  Whilst we are encouraged that there are some
[52:11.390 --> 52:13.970]  community-driven activities to provide transparency
[52:13.970 --> 52:17.130]  and raise the bar, not everybody is covered
[52:17.130 --> 52:19.930]  in these community-driven activities
[52:20.470 --> 52:23.030]  and there are a few extra dimensions around
[52:23.030 --> 52:25.950]  security and OSINT that we think need to be added.
[52:26.090 --> 52:28.410]  A lot of goodness out there but not really
[52:28.410 --> 52:31.790]  full consistency. And as I described,
[52:31.790 --> 52:34.890]  quite a few of the larger players that are
[52:34.890 --> 52:37.890]  mature but there are some that are not fully there
[52:37.890 --> 52:40.790]  and are missing the mark. We did find some
[52:40.790 --> 52:43.050]  isolated, highly vulnerable indicators
[52:43.790 --> 52:46.230]  of potential issues.
[52:46.630 --> 52:49.250]  We do see some high potential for phishing attacks
[52:49.790 --> 52:52.890]  given the concentration of usage
[52:52.890 --> 52:55.510]  of certain email platforms that
[52:55.510 --> 52:58.950]  the industry is relying on. And also
[52:58.950 --> 53:01.930]  some smart contracts improvements on the management
[53:01.930 --> 53:04.410]  of those contracts that need to be done, especially
[53:04.410 --> 53:07.930]  around reuse and looking into the
[53:08.690 --> 53:11.110]  compilers that are compiling the code.
[53:11.830 --> 53:13.830]  Once again, I think I mentioned this a few times
[53:13.830 --> 53:17.050]  but just wanted to repeat it again. Lack of transparency
[53:17.050 --> 53:20.110]  on the key OPSEC. Again, if those
[53:20.110 --> 53:22.130]  keys get stolen,
[53:22.130 --> 53:25.990]  there is a chance of the smart contracts
[53:25.990 --> 53:28.730]  being rewritten and changed. But
[53:28.730 --> 53:31.910]  we don't know how well that's being done. And
[53:31.910 --> 53:35.390]  I think the industry and stakeholders would be keenly
[53:35.390 --> 53:39.010]  interested to see how that happens in practice.
[53:39.290 --> 53:41.050]  And as we move towards a more
[53:41.050 --> 53:44.130]  regulated environment, data privacy and KYC
[53:44.130 --> 53:47.250]  are also extremely important.
[53:48.010 --> 53:50.730]  So, some final recommendations.
[53:50.730 --> 53:53.830]  Lock down your G Suite and Office 365 environments.
[53:53.830 --> 53:56.070]  Train your staff to minimize
[53:56.830 --> 53:59.490]  public information leaks and phishing attacks.
[53:59.970 --> 54:02.830]  Dip into the world of threat intelligence and
[54:02.830 --> 54:05.790]  look into stolen credentials and chatter just to make sure
[54:05.790 --> 54:08.870]  that you're not on the list. Check out
[54:08.870 --> 54:11.750]  and make sure that your dependency on vendors
[54:11.750 --> 54:14.510]  is appropriate and that there's not too much
[54:14.510 --> 54:17.250]  concentration risk associated with certain
[54:17.830 --> 54:20.190]  suppliers, vendors, oracles, etc.
[54:20.190 --> 54:23.110]  Make sure that you're using the right level of
[54:23.110 --> 54:25.450]  security on your email domains.
[54:27.520 --> 54:30.600]  On the crypto side, again, tuning into the threat
[54:30.600 --> 54:33.540]  intelligence is important. Regular code reviews
[54:33.540 --> 54:36.180]  but don't necessarily publish everything.
[54:37.260 --> 54:39.660]  Provide greater assurance over the OPSEC.
[54:40.300 --> 54:42.860]  Ensure that those oracles are protected and can be
[54:42.860 --> 54:45.400]  really trusted. For those of you that
[54:45.400 --> 54:49.140]  are not implementing bug bounty programs,
[54:49.140 --> 54:51.580]  have a look at them. I think there's a lot of value in them.
[54:52.900 --> 54:55.840]  And make sure the keys are adequately protected.
[54:56.840 --> 54:59.000]  Whilst I know there's a strong move towards
[54:59.560 --> 55:02.100]  decentralization, I do think an element of
[55:02.100 --> 55:04.920]  governance for centralization is the way to go.
[55:05.580 --> 55:07.880]  And I see that as the
[55:07.880 --> 55:10.700]  kind of future stable way in which
[55:10.700 --> 55:12.740]  DEFI projects will succeed.
[55:13.980 --> 55:16.680]  From a research perspective, I think that there's still
[55:16.680 --> 55:19.600]  quite a lot to do here. It would be great to
[55:19.600 --> 55:22.620]  have an automated scoring process, very similar
[55:22.620 --> 55:25.680]  to what DEFI score has for the
[55:25.680 --> 55:28.420]  crypto controls.
[55:28.600 --> 55:31.540]  I think we can expand out into the general OSINT
[55:31.540 --> 55:34.680]  as I mentioned before. It would be great to
[55:34.680 --> 55:37.360]  have some better tools and visibility on smart
[55:37.360 --> 55:40.740]  contract code that's automated,
[55:40.740 --> 55:43.640]  that can be published and is available to the community.
[55:43.640 --> 55:46.560]  I think further adoption of transaction analysis
[55:46.560 --> 55:49.740]  for KYC and fraud is going to be really important
[55:49.740 --> 55:53.020]  to make DEFI kind of hit the
[55:53.020 --> 55:56.240]  prime time in the future. And of course,
[55:56.240 --> 55:59.020]  doing protocol stress testing
[55:59.020 --> 56:00.980]  and further
[56:02.660 --> 56:04.940]  digging into the key management
[56:04.940 --> 56:08.400]  OPSEC is also really important.
[56:09.360 --> 56:11.060]  With that, I'd like to
[56:11.060 --> 56:14.240]  give a very special thanks to some folks
[56:14.240 --> 56:17.420]  that helped me through this presentation.
[56:17.900 --> 56:19.520]  Specifically, Danny Howard, who
[56:20.280 --> 56:23.260]  was responsible for the illustrious slides
[56:23.260 --> 56:25.640]  that have been put together.
[56:26.240 --> 56:29.200]  Nick and Ferez helped out with some of the research.
[56:29.540 --> 56:32.240]  This particular piece of work also couldn't have been done without
[56:32.240 --> 56:34.880]  leveraging a lot of valuable resources
[56:34.880 --> 56:39.320]  from the DEFI score project, the DEFI watch project,
[56:39.320 --> 56:42.000]  and also DEFI Prime. So I encourage you to
[56:43.340 --> 56:45.560]  link out, reach out to these particular
[56:45.560 --> 56:48.920]  sites if you want to learn more.
[56:49.660 --> 56:51.240]  And then I think I might have a little bit
[56:51.240 --> 56:54.020]  of time for questions. So I am
[56:54.020 --> 56:56.760]  listening in on the presentation
[56:57.190 --> 56:59.940]  that's happening right now. So feel free to
[57:00.980 --> 57:03.700]  reach out with any questions that I can answer.
[57:04.160 --> 57:06.240]  And I appreciate it and hope to see you
[57:06.240 --> 57:09.940]  next year in Vegas for another chat.
[57:12.440 --> 57:14.260]  Goodbye and stay safe.
